def test_used_reset_token(client, get_message): with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] # use the token response = client.post( "/reset/" + token, data={ "password": "******", "password_confirm": "awesome sunset" }, follow_redirects=True, ) assert get_message("PASSWORD_RESET") in response.data logout(client) # attempt to use it a second time response2 = client.post( "/reset/" + token, data={ "password": "******", "password_confirm": "otherpassword" }, follow_redirects=True, ) msg = get_message("INVALID_RESET_PASSWORD_TOKEN") assert msg in response2.data
def test_password_normalization(app, client, get_message): with capture_reset_password_requests() as requests: response = client.post( "/reset", json=dict(email="*****@*****.**"), ) assert response.status_code == 200 token = requests[0]["token"] response = client.post( "/reset/" + token, json=dict(password="******", password_confirm="HöheHöhe"), ) assert response.status_code == 200 logout(client) # make sure can log in with new password both normnalized or not response = client.post( "/login", json=dict(email="*****@*****.**", password="******"), ) assert response.status_code == 200 # verify actually logged in response = client.get("/profile", follow_redirects=False) assert response.status_code == 200 logout(client) response = client.post( "/login", json=dict(email="*****@*****.**", password="******"), ) assert response.status_code == 200 # verify actually logged in response = client.get("/profile", follow_redirects=False) assert response.status_code == 200
def test_reset_token_deleted_user(app, client, get_message, sqlalchemy_datastore): with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] # Delete user with app.app_context(): # load user (and role) to get into session so cascade delete works. user = app.security.datastore.find_user(email="*****@*****.**") sqlalchemy_datastore.delete(user) sqlalchemy_datastore.commit() response = client.post( "/reset/" + token, data={ "password": "******", "password_confirm": "newpassword" }, follow_redirects=True, ) msg = get_message("INVALID_RESET_PASSWORD_TOKEN") assert msg in response.data
def test_expired_reset_token(client, get_message): with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) user = requests[0]["user"] token = requests[0]["token"] time.sleep(1) with capture_flashes() as flashes: msg = get_message("PASSWORD_RESET_EXPIRED", within="1 milliseconds", email=user.email) # Test getting reset form with expired token response = client.get("/reset/" + token, follow_redirects=True) assert msg in response.data # Test trying to reset password with expired token response = client.post( "/reset/" + token, data={ "password": "******", "password_confirm": "newpassword" }, follow_redirects=True, ) assert msg in response.data assert len(flashes) == 2
def test_recover_invalidates_session(app, client): # Make sure that if we reset our password - prior sessions are invalidated. other_client = app.test_client() authenticate(other_client) response = other_client.get("/profile", follow_redirects=True) assert b"Profile Page" in response.data # use normal client to reset password with capture_reset_password_requests() as requests: response = client.post( "/reset", json=dict(email="*****@*****.**"), headers={"Content-Type": "application/json"}, ) assert response.headers["Content-Type"] == "application/json" assert response.status_code == 200 token = requests[0]["token"] # Test submitting a new password response = client.post( "/reset/" + token + "?include_auth_token", json=dict(password="******", password_confirm="awesome sunset"), headers={"Content-Type": "application/json"}, ) assert all(k in response.json["response"]["user"] for k in ["email", "authentication_token"]) # try to access protected endpoint with old session - shouldn't work response = other_client.get("/profile") assert response.status_code == 302 assert response.headers[ "Location"] == "http://localhost/login?next=%2Fprofile"
def test_custom_reset_templates(client): response = client.get("/reset") assert b"CUSTOM FORGOT PASSWORD" in response.data with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] response = client.get("/reset/" + token) assert b"CUSTOM RESET PASSWORD" in response.data
def test_basic_custom_forms(app, sqlalchemy_datastore): class MyLoginForm(LoginForm): email = StringField("My Login Email Address Field") class MyRegisterForm(RegisterForm): email = StringField("My Register Email Address Field") class MyForgotPasswordForm(ForgotPasswordForm): email = StringField( "My Forgot Email Address Field", validators=[email_required, email_validator, valid_user_email], ) class MyResetPasswordForm(ResetPasswordForm): password = StringField("My Reset Password Field") class MyChangePasswordForm(ChangePasswordForm): password = PasswordField("My Change Password Field") app.security = Security( app, datastore=sqlalchemy_datastore, login_form=MyLoginForm, register_form=MyRegisterForm, forgot_password_form=MyForgotPasswordForm, reset_password_form=MyResetPasswordForm, change_password_form=MyChangePasswordForm, ) populate_data(app) client = app.test_client() response = client.get("/login") assert b"My Login Email Address Field" in response.data response = client.get("/register") assert b"My Register Email Address Field" in response.data response = client.get("/reset") assert b"My Forgot Email Address Field" in response.data with capture_reset_password_requests() as requests: response = client.post("/reset", data=dict(email="*****@*****.**")) token = requests[0]["token"] response = client.get("/reset/" + token) assert b"My Reset Password Field" in response.data authenticate(client) response = client.get("/change") assert b"My Change Password Field" in response.data
def test_easy_password(client, get_message): with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] # use the token response = client.post( "/reset/" + token, data={"password": "******", "password_confirm": "mypassword"}, follow_redirects=True, ) assert b"This is a very common password" in response.data
def test_reset_passwordless_user(client, get_message): with capture_reset_password_requests() as requests: client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] # use the token response = client.post( "/reset/" + token, data={"password": "******", "password_confirm": "awesome sunset"}, follow_redirects=True, ) assert get_message("PASSWORD_RESET") in response.data
def test_spa_get_bad_token(app, client, get_message): """Test expired and invalid token""" with capture_flashes() as flashes: with capture_reset_password_requests() as requests: response = client.post( "/reset", json=dict(email="*****@*****.**"), headers={"Content-Type": "application/json"}, ) assert response.headers["Content-Type"] == "application/json" assert "user" not in response.json["response"] token = requests[0]["token"] time.sleep(1) response = client.get("/reset/" + token) assert response.status_code == 302 split = urlsplit(response.headers["Location"]) assert "localhost:8081" == split.netloc assert "/reset-error" == split.path qparams = dict(parse_qsl(split.query)) assert all(k in qparams for k in ["email", "error", "identity"]) msg = get_message( "PASSWORD_RESET_EXPIRED", within="1 milliseconds", email="*****@*****.**" ) assert msg == qparams["error"].encode("utf-8") # Test mangled token token = ( "WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd." "BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM" "&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d" ) response = client.get("/reset/" + token) assert response.status_code == 302 split = urlsplit(response.headers["Location"]) assert "localhost:8081" == split.netloc assert "/reset-error" == split.path qparams = dict(parse_qsl(split.query)) assert len(qparams) == 1 assert all(k in qparams for k in ["error"]) msg = get_message("INVALID_RESET_PASSWORD_TOKEN") assert msg == qparams["error"].encode("utf-8") assert len(flashes) == 0
def test_recoverable_template(app, client, get_message): # Check contents of email template - this uses a test template # in order to check all context vars since the default template # doesn't have all of them. with capture_reset_password_requests() as resets: with app.mail.record_messages() as outbox: response = client.post( "/reset", data=dict(email="*****@*****.**"), follow_redirects=True ) assert len(outbox) == 1 matcher = re.findall(r"\w+:.*", outbox[0].body, re.IGNORECASE) # should be 4 - link, email, token, config item assert matcher[1].split(":")[1] == "*****@*****.**" assert matcher[2].split(":")[1] == resets[0]["reset_token"] assert matcher[3].split(":")[1] == app.config["SECURITY_CONFIRM_URL"] # check link link = matcher[0].split(":", 1)[1] response = client.get(link, follow_redirects=True) assert b"Reset Password" in response.data
def test_spa_get(app, client): """ Test 'single-page-application' style redirects This uses json only. """ with capture_reset_password_requests() as requests: response = client.post( "/reset", json=dict(email="*****@*****.**"), headers={"Content-Type": "application/json"}, ) assert response.headers["Content-Type"] == "application/json" assert "user" not in response.json["response"] token = requests[0]["token"] response = client.get("/reset/" + token) assert response.status_code == 302 split = urlsplit(response.headers["Location"]) assert "localhost:8081" == split.netloc assert "/reset-redirect" == split.path qparams = dict(parse_qsl(split.query)) assert qparams["email"] == "*****@*****.**" assert qparams["token"] == token
def test_context_processors(client, app): @app.security.context_processor def default_ctx_processor(): return {"global": "global"} @app.security.forgot_password_context_processor def forgot_password(): return {"foo": "bar-forgot"} response = client.get("/reset") assert b"global" in response.data assert b"bar-forgot" in response.data @app.security.login_context_processor def login(): return {"foo": "bar-login"} response = client.get("/login") assert b"global" in response.data assert b"bar-login" in response.data @app.security.verify_context_processor def verify(): return {"foo": "bar-verify"} authenticate(client) response = client.get("/verify") assert b"CUSTOM VERIFY USER" in response.data assert b"global" in response.data assert b"bar-verify" in response.data logout(client) @app.security.register_context_processor def register(): return {"foo": "bar-register"} response = client.get("/register") assert b"global" in response.data assert b"bar-register" in response.data @app.security.reset_password_context_processor def reset_password(): return {"foo": "bar-reset"} # /reset/token - need to generate a token with capture_reset_password_requests() as requests: response = client.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) token = requests[0]["token"] response = client.get(f"/reset/{token}") assert b"global" in response.data assert b"bar-reset" in response.data @app.security.change_password_context_processor def change_password(): return {"foo": "bar-change"} authenticate(client) response = client.get("/change") assert b"global" in response.data assert b"bar-change" in response.data @app.security.send_confirmation_context_processor def send_confirmation(): return {"foo": "bar-confirm"} response = client.get("/confirm") assert b"global" in response.data assert b"bar-confirm" in response.data @app.security.mail_context_processor def mail(): return {"foo": "bar-mail"} client.get("/logout") with app.mail.record_messages() as outbox: client.post("/reset", data=dict(email="*****@*****.**")) email = outbox[0] assert "global" in email.body assert "bar-mail" in email.body
def test_recoverable_flag(app, clients, get_message): recorded_resets = [] recorded_instructions_sent = [] @password_reset.connect_via(app) def on_password_reset(app, user): recorded_resets.append(user) @reset_password_instructions_sent.connect_via(app) def on_instructions_sent(app, user, token): assert isinstance(app, Flask) assert isinstance(user, UserMixin) assert isinstance(token, str) recorded_instructions_sent.append(user) # Test the reset view response = clients.get("/reset") assert b"<h1>Send password reset instructions</h1>" in response.data # Test submitting email to reset password creates a token and sends email with capture_reset_password_requests() as requests: with app.mail.record_messages() as outbox: response = clients.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) assert len(recorded_instructions_sent) == 1 assert len(outbox) == 1 assert response.status_code == 200 assert get_message("PASSWORD_RESET_REQUEST", email="*****@*****.**") in response.data token = requests[0]["token"] # Test view for reset token response = clients.get("/reset/" + token) assert b"<h1>Reset password</h1>" in response.data # Test submitting a new password but leave out confirm response = clients.post("/reset/" + token, data={"password": "******"}, follow_redirects=True) assert get_message("PASSWORD_NOT_PROVIDED") in response.data assert len(recorded_resets) == 0 # Test submitting a new password response = clients.post( "/reset/" + token, data={ "password": "******", "password_confirm": "awesome sunset" }, follow_redirects=True, ) assert get_message("PASSWORD_RESET") in response.data assert len(recorded_resets) == 1 logout(clients) # Test logging in with the new password response = authenticate(clients, "*****@*****.**", "awesome sunset", follow_redirects=True) assert b"Welcome [email protected]" in response.data logout(clients) # Test invalid email response = clients.post("/reset", data=dict(email="*****@*****.**"), follow_redirects=True) assert get_message("USER_DOES_NOT_EXIST") in response.data logout(clients) # Test invalid token response = clients.post( "/reset/bogus", data={ "password": "******", "password_confirm": "awesome sunset" }, follow_redirects=True, ) assert get_message("INVALID_RESET_PASSWORD_TOKEN") in response.data # Test mangled token token = ("WyIxNjQ2MzYiLCIxMzQ1YzBlZmVhM2VhZjYwODgwMDhhZGU2YzU0MzZjMiJd." "BZEw_Q.lQyo3npdPZtcJ_sNHVHP103syjM" "&url_id=fbb89a8328e58c181ea7d064c2987874bc54a23d") response = clients.post( "/reset/" + token, data={ "password": "******", "password_confirm": "newpassword" }, follow_redirects=True, ) assert get_message("INVALID_RESET_PASSWORD_TOKEN") in response.data
def test_recoverable_json(app, client, get_message): recorded_resets = [] recorded_instructions_sent = [] @password_reset.connect_via(app) def on_password_reset(app, user): recorded_resets.append(user) @reset_password_instructions_sent.connect_via(app) def on_instructions_sent(app, user, token): recorded_instructions_sent.append(user) with capture_flashes() as flashes: # Test reset password creates a token and sends email with capture_reset_password_requests() as requests: with app.mail.record_messages() as outbox: response = client.post( "/reset", json=dict(email="*****@*****.**"), headers={"Content-Type": "application/json"}, ) assert response.headers["Content-Type"] == "application/json" assert len(recorded_instructions_sent) == 1 assert len(outbox) == 1 assert response.status_code == 200 token = requests[0]["token"] # Test invalid email response = client.post( "/reset", json=dict(email="*****@*****.**"), headers={"Content-Type": "application/json"}, ) assert response.status_code == 400 assert response.json["response"]["errors"]["email"][0].encode( "utf-8") == get_message("USER_DOES_NOT_EXIST") # Test submitting a new password but leave out 'confirm' response = client.post( "/reset/" + token, data='{"password": "******"}', headers={"Content-Type": "application/json"}, ) assert response.status_code == 400 assert response.json["response"]["errors"]["password_confirm"][ 0].encode("utf-8") == get_message("PASSWORD_NOT_PROVIDED") # Test submitting a new password response = client.post( "/reset/" + token + "?include_auth_token", json=dict(password="******", password_confirm="awesome sunset"), headers={"Content-Type": "application/json"}, ) assert all(k in response.json["response"]["user"] for k in ["email", "authentication_token"]) assert len(recorded_resets) == 1 # reset automatically logs user in logout(client) # Test logging in with the new password response = client.post( "/login?include_auth_token", json=dict(email="*****@*****.**", password="******"), headers={"Content-Type": "application/json"}, ) assert all(k in response.json["response"]["user"] for k in ["email", "authentication_token"]) logout(client) # Use token again - should fail since already have set new password. response = client.post( "/reset/" + token, json=dict(password="******", password_confirm="newpassword"), headers={"Content-Type": "application/json"}, ) assert response.status_code == 400 assert len(recorded_resets) == 1 # Test invalid token response = client.post( "/reset/bogus", json=dict(password="******", password_confirm="newpassword"), headers={"Content-Type": "application/json"}, ) assert response.json["response"]["error"].encode( "utf-8") == get_message("INVALID_RESET_PASSWORD_TOKEN") assert len(flashes) == 0